Wireless Security System and Method

1. A method comprising: receiving data from a roaming client at a new access point; transmitting a registration request to an access server from the new access point for the roaming client registered with the access server and previously in communication with an old access point; receiving a registration reply message from the access server at the new access point, the registration reply message comprising a ticket encrypted with a session key of the old access point and a context transfer key; transmitting a context request message from the new access point to the old access point, the context request message comprising the ticket and an authenticator; receiving a context response message from the old access point at the new access point, the context message comprising an updated authenticator and context information for the roaming client, said context information comprising state information and address bindings; and transmitting to the client, in response to a location discovery request, a ticket encrypted with a session key of a second client and containing a sidestream key used to provide private sidestream transmissions between the clients.

2. The method of claim 1 wherein the context transfer key is encrypted with the session key of the new and old access points.

3. The method of claim 1 wherein transmitting a context request message comprises sending a deregistration request to the old access point.

4. The method of claim 3 wherein the ticket is encrypted with the new access point's session key.

5. The method of claim 1 wherein the access server is configured to operate as a key distribution center.

6. The method of claim 1 further comprising automatically generating the context transfer key and the ticket by the access server when a client roams.

7. The method of claim 1 wherein the sidestream key is a WEP key.

8. The method of claim 1 wherein the sidestream key is an AES key.

9. The method of claim 1 further comprising decrypting the updated authenticator with the sidestream key.

10. An apparatus comprising: a processor configured for receiving data from a roaming client at the new access point, transmitting a registration request to an access server from the new access point for the roaming client registered with the access server and previously in communication with an old access point, receiving a registration reply message from the access server at the new access point, the registration reply message containing a ticket encrypted with a session key of the old access point and a context transfer key, transmitting a context request message from the new access point to the old access point, the context request message comprising the ticket and an authenticator, and receiving at the new access point, a context response message from the old access point the context message comprising an updated authenticator and context information comprising state information and address bindings for the roaming client; and memory for storing said context transfer key; wherein the processor is further configured to generate a ticket encrypted with a session key of a second client and containing a sidestream key used to provide private sidestream transmissions between the clients upon receiving a location discovery request from the roaming client.

11. The apparatus of claim 10 wherein the ticket is encrypted with the new access point's session key.

12. The apparatus of claim 10 wherein the access server is configured to operate as a key distribution center.

13. The apparatus of claim 10 wherein the context transfer key is encrypted with the session key of the new and old access points.

14. The apparatus of claim 10 wherein the processor is configured to send a deregistration request to the old access point.

15. The apparatus of claim 10 wherein the sidestream key is a WEP key.

16. The apparatus of claim 10 wherein the sidestream key is an AES key.

17. The apparatus of claim 10 wherein the processor is configured to decrypt the updated authenticator with the sidestream key.